Yahoo fined $334,000 in the UK for failing to disclose 2014 hack | Tech News

Yahoo has been fined by a UK watchdog group.

Ethan Miller / Getty Images

Yahoo has been hit with another fine over its cybersecurity failures. 

The Information Commissioner’s Office, the UK’s independent group dedicated to enforcing information rights, announced  Tuesday that it is fining Yahoo’s UK Services £250,000, or about $334,000, for a data breach in November 2014. Hackers had access to sensitive data from about 500 million Yahoo accounts, of which 515,121 were in the UK.

Yahoo isn’t being fined because hackers broke into its system and stole data. Rather, the ICO is fining the company because it took almost two years for people to find out. The group said Yahoo failed to take appropriate measures to protect the data of more than half a million people and did not meet the UK’s data protection standards.

“People expect that organizations will keep their personal data safe from malicious intruders who seek to exploit it,” ICO deputy commissioner of operations, James Dipple-Johnstone, said in a statement. “The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.” 

The fine announced Tuesday pales in comparison to the $35 million fine the US Securities and Exchange Commission slapped on Altaba, the part of Yahoo that remained after the sale of key assets to Verizon. 

Yahoo’s 2014 breach, a state-sponsored attack, was considered the largest data breach in history until Yahoo announced that all 3 billion accounts on its website had been compromised in a separate hack from 2013. 

The ICO said that Yahoo’s security inadequacies had been around for “a long period of time without being discovered or addressed.” 

Disclosing breaches in a timely manner is crucial for both investors and potential victims of massive hacks. It’s important enough that the European Union’s General Data Protection Regulation (GDPR) now requires companies to notify authorities within 72 hours of learning about a breach. It’s different in the US, depending on the state you’re in — but most agree that two years is too long. 

In March, the Pennsylvania attorney general sued Uber for waiting more than a year to disclose a data breach.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Rebooting the Reef: CNET dives deep into how tech can help save Australia’s Great Barrier Reef.

You might also like
Leave A Reply

Your email address will not be published.